ARP - Address Resolution Protocol - Same Network

What is ARP?
ARP stands for Address Resolution Protocol which is used to find the MAC (Media Control Access) address of a device. It works between the layer 2 (Data link layer) and layer 3 (Network layer) of the OSI model.

What is MAC address?
MAC address is also called as physical address is a globally unique 12-digit hexadecimal value mounted on a network interface card. It helps to identify the device on a network.

Why you need IP as well as MAC address?

IP ADDRESS MAC ADDRESS
4 Octet – 8 Bits each 12-Digit HexaDecimal
Can be Changed Cannot be Changed
Locates Device on the Network Identifies the Actual Device

Assume that we are using only MAC address to communicate with each other.

  • Router/Switch should maintain a table with many entries (in millions)
  • Broadcasting message would be impossible
  • It doesn’t allow grouping of devices

How ARP works?
ARP process in Same Network – explained Step by Step.



Consider above Network Topology.

Computer A (192.168.1.2) wants to communicate (ping) with Computer B (192.168.1.3) but it doesn’t know 192.168.1.3's MAC Address.

Step 1: When Computer A (1.2) pings Computer B (1.3), it creates a Frame/Packet as follows

Payload Protocol Src IP Dst IP Src MAC Dest MAC
Random Data ICMP 192.168.1.2 192.168.1.3 50:00:22:22:22:22 ----------

Note : In this Article you may notice us using terms like 'Packets' or 'Frames'. Eventhough technically the are not same, in this context we ll assume they mean the same (i.e : For now, Packet = Frame). We may use it interchangeably in the article. Not to be confused with that. Also instead using the full IP address like '192.168.1.2' we may refer '1.2' just to save our time. Now Goahead!

Step 2: Before sending the actual ping request the Computer-A(1.2) needs to resolve Destination MAC Address. So, it sends ARP Request as a Broadcast.



Note that 00:00:00:00:00:00 , FF:FF:FF:FF:FF:FF are reserved mac addresses.
Here, 00:00:00:00:00:00 is used as a place holder and FF:FF:FF:FF:FF:FF is broadcast mac address.

If you could see the above image. The Section that starts with “Ethernet II” is the header of the ARP request. So now we ll know the fact that ARP request will have only the MAC header and not the IP header along. From the above images we can understand this ARP request is sourced from the device whose MAC address is 50:00:22:22:22:22. Since the PC wants this ARP request to reach all the device the LAN network it initiates the ARP request with destination MAC address FF:FF:FF:FF:FF:FF. It makes sense. Isn’t it?

The next section which we can see as “Address Resolution Protocol (Request)” is the payload of ARP Request. Looking inside the payload we can see bunch of parameters in which five parameters are important to understand.

Opcode : If it is set to ‘1’ then it’s an ARP request.
Sender MAC : MAC address of the sender. Here it is 50:00:22:22:22:22
Sender IP : IP address of the sender. Here it is 192.168.1.2
Target MAC : For now it is 00:00:00:00:00:00 which is acting like a placeholder as I told you before.
Target IP : Whose MAC address the Sender is looking for. Here it is 192.168.1.3

Note : The MAC and IP parameters inside the payload should not be referred as Source and Destination IP/MAC it should be referred only as Sender and Target IP/MAC.

Step 3: Switch receives the arp request and forwards it to all the interface except the one thorough which it received the ARP request. (Switches are Layer 2 devices and they make forwarding decisions based the mac address table they maintain. We are neither covering anything on ‘How switch works’ nor on MAC address table since it doesn’t come under the scope of this article. You can refer the article on ‘How Switches work’).

Step 4: This ARP request goes to all the devices in the LAN. In our case we just have three PCs in our lab to make the complexity of the article simple. So now Computer B (1.3) and Computer C (1.4) will receive. The Computer C (1.4) will drop the packet because of the target IP address in the request is not his IP address.

Step 5: Computer B (1.3) responds since the Target IP matches the Computer B ‘s IP. The ARP reply will look as follows.



Opcode is 2 means that it is an ARP reply. Remaining pieces are self-explanatory. By this time both 1.2 and 1.3 would have populated their own ARP Table. ARP Table is a table that every Networking devices will use to store the IP Address and MAC Address Mapping they learnt. You can see the ARP table in this article in sometime. Now Keep Reading!

Step 6: Computer A (1.2) uses this ARP reply to fill the Destination MAC address field. Note that, Sender MAC address of the ARP reply is the Destination MAC address. Frame is now completed and sent to Computer B (1.3).

Payload Protocol Src IP Dst IP Src MAC Dest MAC
Random Data ICMP 192.168.1.2 192.168.1.3 50:00:22:22:22:22 50:00:33:33:33:33

The incomplete Frame that we saw in Step 1 is now complete in Step 6 and sent out of 192.168.1.2.



Above image is the wireshark packet capture of Ping Request.

Step 7: Computer B (1.3) replies to Computer A (1.2) with same random data. Now, the Source IP, MAC will be computer B ‘s IP, MAC and Destination IP, MAC will be computer A ‘s IP, MAC.

Payload Protocol Src IP Dst IP Src MAC Dest MAC
Random Data ICMP 192.168.1.3 192.168.1.2 50:00:33:33:33:33 50:00:22:22:22:22

Computer B (1.3) knows the MAC address of Computer A (1.2) during the exchange of ARP Packets. So there is no point in doing ARP again for the Ping reply.



Now from the 2nd ping request that the Computer A initiates it won't go through ARP process because PCs use to store the learnt MAC address in the ARP table. Usually when we initiate ping from Linux PC's they start sending it with unlimited counts. You can stop it by using Ctrl+C. Window have a default count of 4 pings and Cisco Device has 5 ping counts.

Now its time to see the ARP table in Computer A (1.2)



We ll see the ARP table in Computer B (1.3)



Now we are done with ARP in the Same Network. If you are not tired we can have a look at How ARP works on different Network?